Jamf Admins, let's take a minute to talk about hardcoded values in scripts.

It’s great that we’re a social community that publishes, shares and modifies each other’s work on GitHub, but please sanitize that information.

Take this as an example:

For the privacy of the original poster I’ve removed identifying information. Note: even though mm2270 is listed as the author of this script, the above was reposted under another GitHub account.

In plain text, this GitHub repo had the JSS URL, username and password readily available. Slight problem: anyone with the know-how can access that JSS.

One way to mitigate part of the problem is to use a local account with your JSS and enable SSO. That way they only have access to your JSS via the API; it’s a bit more work to do damage, but it still could be done. NEVER use a directory account for scripts.

Better yet, NEVER hardcode passwords in your scripts.

You can do this in a few ways.

Hardcode them in a plist

*This should never be done on a client machine.

First, create a plist with your values.

Then you can load them as part of your script.

If you already have python-jss or AutoPkgr installed, you can use the values they store in your script instead.
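As an added example (not the original post’s code, and not anything python-jss or AutoPkgr ship): the plist is written on an admin workstation with owner-only permissions, read back with PlistBuddy where it exists and with a small awk fallback elsewhere, and the password is never printed. The file path and the key names jss_url, api_user and api_pass are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the original post's code. Keeps the JSS URL and API
# credentials in a plist outside the script (and outside any Git repo), on an
# admin workstation only, never on a managed client. The path and the key
# names jss_url / api_user / api_pass are assumptions made for this example.

CREDS_PLIST="${HOME}/Library/Preferences/com.example.jssapi.plist"   # assumed path

# Escape the three characters that would break the XML (ampersand first).
xml_escape() {
    printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Write the plist with owner-only permissions. A plain heredoc is used instead
# of `defaults write` so the example also runs where `defaults` is absent.
write_creds_plist() {
    local plist="$1" url user pass
    url=$(xml_escape "$2"); user=$(xml_escape "$3"); pass=$(xml_escape "$4")
    (
        umask 077
        cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>jss_url</key><string>${url}</string>
    <key>api_user</key><string>${user}</string>
    <key>api_pass</key><string>${pass}</string>
</dict>
</plist>
EOF
    )
    chmod 600 "$plist"
}

# Read one string value. PlistBuddy (macOS) when present; otherwise a small awk
# fallback that handles the flat dict written above, not arbitrary plists.
read_plist_value() {
    local plist="$1" key="$2"
    if [ -x /usr/libexec/PlistBuddy ]; then
        /usr/libexec/PlistBuddy -c "Print :${key}" "$plist"
    else
        awk -v k="$key" '
            index($0, "<key>" k "</key>") {
                sub(/.*<string>/, ""); sub(/<\/string>.*/, "")
                gsub(/&lt;/, "<"); gsub(/&gt;/, ">"); gsub(/&amp;/, "\\&")
                print; found = 1; exit
            }
            END { exit found ? 0 : 1 }' "$plist"
    fi
}

# Load the values into the script. Fails fast if the file is missing or a key
# is absent, and never prints the password.
load_jss_creds() {
    local plist="${1:-$CREDS_PLIST}"
    [ -r "$plist" ] || { printf 'error: cannot read %s\n' "$plist" >&2; return 1; }
    jss_url=$(read_plist_value "$plist" jss_url) || return 1
    api_user=$(read_plist_value "$plist" api_user) || return 1
    api_pass=$(read_plist_value "$plist" api_pass) || return 1
    printf 'Loaded credentials for %s as %s\n' "$jss_url" "$api_user" >&2
}

# Demo against a temporary file so running this never touches a real plist.
# The values are constructed for the example.
demo() {
    local tmp
    tmp=$(mktemp)
    write_creds_plist "$tmp" "https://jss.example.com:8443" "api_reader" "constructed-password"
    load_jss_creds "$tmp"
    rm -f "$tmp"
}
demo
```

On a Mac the same read can be done with `defaults read` against the plist; the awk branch only exists so the example runs on a system without PlistBuddy.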

Prompt for the values when you run your script

Using osascript

Using shell
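An added example, not the post’s own scripts, with one function per approach: a GUI prompt through osascript for a one-off run on a Mac, and a terminal prompt that switches echo off with stty. The function names, the prompt labels and the USE_DIALOG switch are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the original post's code. Asks for the JSS details at run
# time so nothing sensitive is stored in the script. Function names, labels
# and the USE_DIALOG switch are assumptions made for this example.

# osascript: a GUI dialog, for a one-off run on a Mac with a logged-in user.
# "with hidden answer" masks the typed value. The label must not contain
# double quotes, because it is spliced into the AppleScript source.
prompt_gui_secret() {
    osascript \
        -e "display dialog \"$1\" default answer \"\" with hidden answer" \
        -e 'text returned of result'
}

# shell: a terminal prompt. The label goes to stderr so the caller can capture
# the value from stdout; echo is switched off only when stdin is a terminal,
# so the same function also works when the value is piped in.
prompt_secret() {
    local value
    printf '%s: ' "$1" >&2
    [ -t 0 ] && stty -echo
    IFS= read -r value
    [ -t 0 ] && { stty echo; printf '\n' >&2; }
    printf '%s\n' "$value"
}

# Non-secret values (URL, username) are read the same way, echo left on.
prompt_value() {
    local value
    printf '%s: ' "$1" >&2
    IFS= read -r value
    printf '%s\n' "$value"
}

# Refuse to continue with a blank value rather than send it to the API.
require_nonempty() {
    [ -n "$2" ] && return 0
    printf 'error: %s is empty\n' "$1" >&2
    return 1
}

main() {
    local jss_url api_user api_pass
    jss_url=$(prompt_value "JSS URL")
    api_user=$(prompt_value "API username")
    # USE_DIALOG=yes picks the osascript dialog when one is available.
    if [ "${USE_DIALOG:-no}" = yes ] && command -v osascript >/dev/null 2>&1; then
        api_pass=$(prompt_gui_secret "API password for ${api_user}")
    else
        api_pass=$(prompt_secret "API password")
    fi
    require_nonempty "JSS URL" "$jss_url" || return 1
    require_nonempty "API username" "$api_user" || return 1
    require_nonempty "API password" "$api_pass" || return 1
    printf 'Ready to talk to %s as %s\n' "$jss_url" "$api_user"   # the password is never printed
}

# Only run the interactive part when a terminal is attached.
[ -t 0 ] && main
```

Because the values only ever live in shell variables for the length of the run, nothing is left behind in the script, in a repo or in the shell history.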

Passed as arguments through command line

Passed through the JSS

You can also use the above while executing locally, keeping in mind that $1, $2 and $3 are automatically assigned by the JSS.
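An added example (not the original post’s code) of a policy script that takes its connection details from script parameters, whether the JSS fills them in or you pass them on the command line for a local run. The JSS reserves $1 to $3; which of the remaining parameters carries what ($4 JSS URL, $5 API user, $6 API password) is an assumption made here, as is the script name in the comment.

```shell
#!/bin/bash
# Added example, not the original post's code. A policy script that takes the
# JSS URL and API credentials from script parameters instead of hardcoded
# strings. $1-$3 are filled in by the JSS (mount point, computer name, user);
# parameters 4 and up are yours. Which parameter carries what is an
# assumption made here: $4 = JSS URL, $5 = API user, $6 = API password.
#
# Local run for testing, same positions, first three left blank:
#   ./jss_api_example.sh "" "" "" "https://jss.example.com:8443" api_reader 'secret'

parse_jamf_parameters() {
    jss_url="$4"; api_user="$5"; api_pass="$6"
    local missing=""
    [ -n "$jss_url" ]  || missing="$missing \$4(jss_url)"
    [ -n "$api_user" ] || missing="$missing \$5(api_user)"
    [ -n "$api_pass" ] || missing="$missing \$6(api_pass)"
    if [ -n "$missing" ]; then
        printf 'error: missing script parameter(s):%s\n' "$missing" >&2
        return 1
    fi
    jss_url="${jss_url%/}"     # drop a trailing slash so API paths do not double up
    case "$jss_url" in
        https://*) ;;
        *) printf 'error: JSS URL must use https, got %s\n' "$jss_url" >&2; return 1 ;;
    esac
}

# Call the classic API. Credentials are handed to curl through a config read
# from stdin, so the password is not visible in `ps` the way `curl -u` is.
# (Double quotes inside the password would need escaping for curl's config.)
api_get() {
    curl --silent --show-error --config - <<EOF
url = "${jss_url}/JSSResource/$1"
user = "${api_user}:${api_pass}"
header = "Accept: application/xml"
EOF
}

main() {
    parse_jamf_parameters "$@" || return 1
    printf 'Connecting to %s as %s\n' "$jss_url" "$api_user" >&2   # password never logged
    api_get "computers"   # read-only listing, just to show the call shape
}

# Run only when parameters were supplied (by the JSS or on the command line).
[ $# -gt 0 ] && main "$@"
```

In the policy, the URL and username can sit in parameters 4 and 5 in clear while parameter 6 holds the password; none of the three ever needs to appear in the script file that gets pushed to GitHub.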

3 Comments

It still has a worry of sanitizing scripts before pushing to GitHub, since it is still hardcoding the data, but if the jss_url and the encrypted strings are separated and used only in parameters passed via Jamf, then it becomes a bit harder to have all the information to mess with someone’s Jamf Pro Server.